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(54) System and method for verifying cryptographic postage evidencing using a fixed key set 



(57) A method for controlling keys used in the verifi- 
cation of encoded information generated by a transac- 
tion evidencing device (12) and printed on a document 
(55) comprises the steps of generating a plurality of ran- 
dom verifier master keys (18) to obtain a set (100) of 
verifier master keys consisting of a fixed number of 
keys: generating at least one pointer by applying a 
psuedorandom algorithm to data unique to the transac- 
tion evidencing device (12); calculating a plurality of ver- 
ifier token keys to obtain a verifier token key set (100) 



corresponding to the set of verifier master keys (100); 
encrypting the verifier token key set with a privacy key; 
and distributing the set verifier token keys and the pri- 
vacy key to verifiers (60). The token keys are a function 
of the verifier master keys and a code valid for a limited 
time. The pointer algorithm is an appropriate symmetric 
key cryptographic algorithm and the code is function of 
a date dependent parameter. The master keys are dis- 
tributed to postal and vendor data centers. 
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Description 

The present invention relates generally to a method 
for verifying indicia and, more particularly, to such 
method for verifying indicia using a fixed key set. 5 

Digital printing technology has enabled mailers to 
implement digital, i.e. bit map addressable, printing for 
the purpose of evidencing payment of postage. 
Advances in digital printing technology have made it 
possible to print on a mailpiece a postage indicium that w 
is unique to the mailpiece. The indicium is unique 
because it includes information relating directly to the 
mailpiece, for example, postage value, date, piece 
count origin postal code and/or destination postal code 
(referred to herein as indicium information or indicium is 
data). 

From the Postal Service's perspective, it will be 
appreciated that the digital printing and scanning tech- 
nology make it fairly easy to counterfeit a postal value 
bearing indicium since any suitable computer and 20 
printer may be used to generate multiple copies of an 
image once generated. 

In order to validate an indicium printed on a mail- 
piece, that is to ensure that accounting for the postage 
amount printed on a mailpiece has been properly done, 25 
it is known to include as part of the franking an 
encrypted number such that, for instance, the value of 
the franking may be verified from the encrypted data in 
the indicium to learn whether the value as printed on the 
mailpiece is correct. See, for example, U.S. Patent Nos. 30 
4,757,537 and 4,775,246 to Edelmann et al., as well as 
U.S. Patent No. 4,649,266 to Eckert. It is also known to 
authenticate a mailpiece by including the address as a 
further part of the encryption as described in U.S. Pat- 
ent No. 4,725,718 to Sansone et al. and U.S. Patent No. 35 
4,743,747 to Fougere et al. 

U.S. Patent No. 5,170,044 to Pastor describes a 
method and apparatus for the representation of binary 
data in the form of an indicium comprising a binary array 
of pixels. The actual arrays of pixels are scanned in 40 
order to identify the sender of the mailpiece and to 
recover other encrypted and plain text information. U.S. 
Patent No. 5,142,577 to Pastor describes various alter- 
natives to the DES algorithm for encrypting a message 
and for comparing the decrypted postal information to 45 
the plain text information on the mailpiece. 

U.K. Patent Application 2,251 ,21 OA to Gilham 
describes a meter that contains an electronic calendar 
to inhibit operation of the franking machine on a periodic 
basis to ensure that the user conveys accounting infor- so 
mation to the postal authorities. U.S. Patent No. 
5,008,827 to Sansone et al. describes a system for 
updating rates and regulation parameters at each meter 
via a communication network between the meter and a 
data center. While the meter is on-line status registers in 55 
the meter are checked and an alarm condition raised if 
an anomaly is detected. U.S. Patent No. 4,853,961 to 
Pastor describes critical aspects of using public key 



cryptography for mailing applications. 

U.S. Patent No. 5,390,251 to Pastor et al. describes 
a system for controlling the validity of printing of indicia 
on mailpieces from a potentially large number of users 
of postage meters including apparatus disposed in each 
meter for generating a code and for printing the code on 
each mailpiece. The code is an encrypted code repre- 
sentative of the apparatus printing the indicium and 
other information uniquely determinative of the legiti- 
macy of postage on the mailpieces. The keys for the 
code generating apparatus are changed at predeter- 
mined time intervals in each of the meters. A security 
center includes apparatus for maintaining a security 
code database and for keeping track of the keys for gen- 
erating security codes in correspondence with the 
changes in each generating apparatus and the informa- 
tion printed on the mailpiece by the postage meter 
apparatus for comparison with the code printed on the 
mailpiece. There may be two codes printed, one used 
by the Postal Service for its security checks and one by 
the manufacturer. The encryption key may be changed 
at predetermined intervals or on a daily basis or for 
printing each mailpiece. 

Recently digital meters, such as PostPerfect™ and 
Personal Post Office™ both manufactured- by the 
assignee of the present invention, have been devel- 
oped. Such digital meters employ cryptographic means 
to produce evidence of postage payment. The encryp- 
tion is performed using cryptographic keys for signing 
indicium data printed on the envelope with two "digital 
tokens'*. In each digital meter, independent keys stored 
therein are used for generating two digital codes or 
tokens needed for verification of indicia printed on mail- 
pieces. One digital token provides evidence of postage 
paid to the Postal Service, and the second digital token 
provides evidence to the vendor, such as the assignee 
of the present invention. As used herein, a digital token 
is a truncation of the result of a symmetric-key crypto- 
graphic transformation, such as a truncated Data 
Encryption Standard Message Authentication Code, 
applied to data appearing in the indicium. The indicium 
data elements, also referred to herein as input postal 
data or simply postal data, may include postage value, 
date, register values, postal code of the geographical 
deposit area, recipient address information and piece 
count. A verifier with access to a key matching the key 
used for generating the digital token in the digital meter 
performs digital token validation, i.e., verification that 
accounting for the postage value printed in the indicium 
has been properly done. 

For security reasons, the keys in each meter are dif- 
ferent Information about the meter and mailpiece are 
combined and separately encrypted with vendor and 
with postal master keys or keys derived therefrom. Por- 
tions of the resulting information are printed on the mail 
piece as digital tokens. The indicium information and 
the associated digital tokens can be verified by a device 
that processes the information in the same manner with 
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the same keys and compares the resulting digital tokens 
with those printed on the mail piece. 

It will be appreciated that in order to verify the indi- 
cium information printed on a mailpiece, a verifier must 
first be able to obtain the key used by the particular 
meter that generated the indicium. In trying to deal with 
mailing systems which may incorporate such encryption 
systems, it must be recognized that the meter popula- 
tion is large and subject to constant fluctuation as 
meters are added and removed from service. If the 
same key were to be used for ail meters, the key distri- 
bution is simple but the system is not secure. Once the 
code is broken by anyone, the key may be made availa- 
ble to other users and the entire operation is compro- 
mised. However, if separate keys are used respectively 
for each meter then key management potentially 
becomes extremely difficult considering the fluctuations 
in such a large population. 

European Patent Publication No. 0647924 filed 
October 7, 1994 , and assigned to the assignee of the 
instant application, describes a key management sys- 
tem for mail processing that assigns one of a set of pre- 
determined keys by a determined relationship to a 
particular meter, effectively allowing multiple meters to 
share a single key. The key management system 
includes the generation of a first set of keys which are 
then used for a plurality of respective postage meters. A 
first key of the first set of keys is then related to a spe- 
cific meter in accordance with a map or algorithm. The 
first key may be changed by entering a second key via 
an encryption using the first key. 

U.S. Patent No. 5,661,803 to Cordery et. al. and 
assigned to the assignee of the instant application, 
describes a method of token verification in a Key Man- 
agement System. The method provides a logical device 
identifier and a master key created in a logical security 
domain to a transaction evidencing device, such as a 
digital postage meter. A master key record is created in 
a key verification box, and the master key is securely 
stored as a record in a Key Management System 
archive. Evidence of the transaction information integ- 
rity and the master key record from the Key Manage- 
ment System archive are input into a token verification 
box. The token verification box determines that the mas- 
ter key is valid, uses the master key to verify the evi- 
dence of transaction information integrity, and outputs 
an indication of the result of the verification of the evi- 
dence of transaction information integrity. The master 
key record includes the logical device identifier, the 
master key and a digital signature associating the logi- 
cal device identifier and the master key. The token veri- 
fication box checks the digital signature to verify the 
association of the logical device identifier and the mas- 
ter key within the logical security domain. 

It has been found that distributing master keys of 
the digital meters to verifiers may jeopardize the secu- 
rity of the verification system. The present invention per- 
forms verification of indicia using time dependent "token 



keys" that are valid for a limited time. Thus, the present 
invention provides a verification system that includes a 
verifier that does not require access to master keys 
stored in the digital meters to perform verification of indi- 

s cia. It has been found that the present invention 
improves security of digital meters by providing a simpli- 
fied means for posts to validate indicia in real time and 
reduces the need to recreate or communicate the mas,- 
ter keys of the digital meters. It has also been found that 

w the present invention minimizes the cost of verification 
by taking advantage of existing postal processes and 
infrastructure. It has further been found that the present 
invention achieves interoperability of the indicium verifi- 
cation infrastructure with postal processing. An impor- 

75 tant element of the verification infrastructure is the cost 
of maintenance of a correct, secure and timely corre- 
spondence between postage evidencing keys and post- 
age verification keys. 

The present invention provides for validation at 

20 local or regional post offices. The token key set contains 
a fixed number of encrypted verification token keys that 
are date, dependent, for example, preferably valid for 
only one month. If the verification token key set is stolen 
or compromised in any way, it is only useful for a limited 

25 time, such as one month. 

The postal data is read from the indicia. The 
encrypted, date dependent token key for the meter is 
retrieved from the token key set stored at the verifier. 
The verifier decrypts the verification token key and gen- 

30 erates a digital verifier token using the verification token 
key with the postal data. Finally, the verifier compares 
the generated verifier token to the verifier token read 
from the indicia and a pass/fail determination is made to 
complete the validation process. 

35 In accordance with an embodiment of the present 
invention three digital tokens are used to evidence post- 
age. One token is verified, as needed, by the Postal 
Service and a second is verified, as needed, by the ven- 
dor. These first two tokens are the same as set forth in 

40 U.S. Patent No. 5,390,251, previously noted. The third 
token is added for distributed postal verifiers for "real 
time" verification. To simplify key management for the 
verifiers, a fixed Master Verifier fixed size Key Set, e.g., 
1000 keys, provides a method to verify indicia without 

45 distributing data for each meter produced. The fixed key 
set is used to generate a set of time dependent token 
keys. These token keys are only valid for a limited time 
period. The token key set is signed by the Postal Serv- 
ice and encrypted with a special purpose privacy key for 

so each verifier periodically, for example, once per month. 
The Postal Service encrypts the token key set with a pri- 
vacy key to ensure confidentiality of the token key set. 
The privacy key is encrypted with a session key that is 
unique for each verifier. The session keys are distre- 
ss uted via an alternate channel, for example through 
physical means. The session keys are updated regu- 
larly. The distributed session keys are updated regularly, 
and distributed by an alternate channel. A secure co- 
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processor for each verifier maintains the confidentiality 
of the token key while it is decrypted for verifying an ind- 
icium. The co-processor must be physically secure to 
protect the token keys that have been distributed. If a 
secure co-processor of a verifier is compromised, such 5 
compromise will not provide access to future token 
keys. 

The above and other objects and advantages of the 
present invention will be apparent upon consideration of 
the following detailed description, taken in conjunction 10 
with accompanying drawings, in which like reference 
characters refer to like parts throughout, and in which: 

Fig. 1 is a block diagram of a prior art postage evi- 
dencing and verification system; is 
Fig. 2 is a block diagram of a postage evidencing 
and verification system in which an embodiment of 
the present invention may be performed; 
Fig. 3 is a flow chart of the initialization and distribu- 
tion of a fixed key set of verifier token keys; 20 
Fig. 4 is a flow chart of token verification by a veri- 
fier; 

Fig. 5 is a flow chart of complete verification by the 
postage evidencing and verification system; 
Fig. 6 is a block diagram of data proposed for an 25 
OCR version of a fixed key set indicium in accord- 
ance with an embodiment of the present invention; 
and 

Fig. 7 is a block diagram of data proposed for a bar- 
code version of a fixed key set indicium in accord- 30 
ance with another embodiment of the present 
invention. 

In describing the present invention, reference is 
made to the drawings, wherein there is seen in Fig. 1 a 35 
prior art system, generally designated 10, for verifying 
cryptographic postage evidencing using a fixed key set. 
The system in accordance with an embodiment of the 
present invention comprises a digital meter 12 interact- 
ing with a plurality of different security or forensic cent- 40 
ers: a postal data center 20 and a vendor data center 
30. A meter manufacturer 40 manufactures a custom- 
ized digital meter 12 with a meter number 14, a postal 
master key 16 and a vendor master key 18. The postal 
master key 1 6 is stored in a master key database 22 at 45 
the postal data center 20. The vendor master key 18 is 
stored in a master key database 32 at the vendor data 
center 30. When meter 12 is initialized the postal and 
vendor master keys are used to generate in the meter 
respective postal and vendor token keys 24 and 34. so 

Preferably, the postal and vendor token keys are 
date dependent, for example, each being valid for only 
one month at which time new token keys must be gen- 
erated. The postal and vendor token keys 24 and 34 are 
used to generate respective unique postal and vendor 55 
tokens which are encrypted numbers based on postal 
data uniquely attributable to the particular meter 12. For 
a more detailed description of the generation of digital 



tokens, see U.S. Patent Application 5,390,251, previ- 
ously noted. 

The postal token key 24 is used by meter 1 2 to gen- 
erate a postal digital token which is printed on a mail- 
piece 55. The postal data center 20 verifies the postal 
token read from mailpiece 55 using the postal token key 
24 which is generated at the postal data center 20 using 
the postal master key 16 and postal data read from the 
indicium of mailpiece 55. Likewise, the vendor token key 
34 is used by meter 12 to generate a vendor digital 
token which is printed on mailpiece 55. The vendor data 
center 30 verifies the vendor token read from mailpiece 
55 using the vendor token key 34 which is generated at 
the vendor data center 30 using the vendor master key 
18 and postal data read from the indicium of mailpiece 
55. 

Further details of verifying cryptographic postage 
evidencing using a fixed key set are to be found in Euro- 
pean Patent Publication No. 0647924, filed fillin "date 
patent was filed" October 7, 1994, previously noted, 

Referring now to Fig. 2, a system in accordance 
with the present invention is shown for verifying crypto- 
graphic postage evidencing using a fixed key set. The 
system components that are identical to the prior art 
system shown in Fig. 1 , which are designated with the 
same reference numerals, operate in the manner 
described above. 

The postal and vendor data centers 20 and 30, 
wherever maintained, are connected electronically, for 
example by telecommunication, with any or all verifica- 
tion centers, also referred to herein as verifiers, one of 
which is indicated here at 60. 

The present invention provides in one embodiment 
a symmetric-key truncated message authentication 
code (MAC) based system that simplifies key manage- 
ment issues for verifiers. (A symmetric-key truncated 
MAC is also referred to herein as a digital token.) Three 
digital tokens provide postage evidence to three differ- 
ent authorities: the postal data center 20, the vendor 
data center 30, and the verifiers 60. The main difference 
in the three digital tokens is the key management sys- 
tem. The Post verifies one digital token off-line at the 
secure postal data center 20. The vendor secure data 
center 30 has the key to validate the second digital 
token when required. These first two digital tokens are 
similar to those described in U.S. Patent No. 5,390,251, 
previously noted, and currently produced for Personal 
Post Office digital meters manufactured by Pitney 
Bowes of Stamford, Connecticut. During meter manu- 
facture, the vendor securely generates and encrypts the 
keys used to produce these first two digital tokens, and 
assigns them to each meter. A secure key management 
system stores the keys in signed, encrypted records, 
that include meter serial number and key status. 

As used herein, on-line verification is verification 
performed during the real-time processing of the mail- 
pieces; and off-line verification is verification performed 
separate from the real-time processing of the mail- 



20 



4 



BNSOOCID: <EP 0854444 A2_l_> 



7 



EP 0 854 444 A2 



pieces. 

In accordance with an embodiment of the present 
invention the third, or verifier, digital token is for distrib- 
uted postal verifiers which perform the only on-line veri- 
fication. The keys 50 are selected from a fixed Verifier 
Master Key Set 100. Although, there is a security trade- 
off in using a fixed key set, off-line verification of postal 
and vendor digital tokens compensates for this trade-off. 
The present invention provides an advantage over pre- 
vious methods for verifying indicia integrity because ver- 
ification is achieved without distributing unique keys 
stored in each meter 

The Verifier Master Key Set 100 is not distributed to 
verifiers 60. The distributed keys are from an intermedi- 
ate Token Key Set 110, generated at the postal data 
center 20, based on the month and year, using the Ver- 
ifier Master Key Set 100. Token keys are only valid for 
one month. 

The Token Key Set 110 is securely communicated 
to the verifiers 60. It may be signed by the Postal Serv- 
ice and is encrypted with a fresh privacy key. A verifier 
specific distribution key encrypts the privacy key. The 
verifiers securely receive fresh distribution keys through 
an alternate channel, for example, by physical distribu- 
tion. Like all symmetric-key systems, the verifier 60 
requires access to a secret-key of each meter to verify 
indicia. Each meter 12 generates its token key in an 
intermediate step prior to generating a digital token. The 
verifier 60 retrieves the token key from the Token Key 
Set 110. 

In this manner, the system protects the Verifier 
Master Key Set 100. If the Token Key Set is compro- 
mised, thus exposing current token keys, such compro- 
mise does not provide access to future token keys. 
Furthermore, this type of failure can be detected using 
the vendor and postal digital tokens. A physically secure 
co-processor, for each verifier, maintains confidentiality 
of the decrypted token keys which verify indicia. The 
Token Key Set 1 10 is always encrypted while it is out- 
side the secure co-processor. When presented with ind- 
icium data, the verifier responds only with a message 
that the indicium is valid or invalid. The verifier does not 
respond with the valid digital token. 

Compared to a public-key system, there is much 
less cryptographic indicia data with the symmetric-key 
system described herein. Either an OCR or a bar code 
symbology fits the area currently allocated for the indi- 
cium. If the data is printed in a bar code, a large module 
size can be used, improving readability. Error correction 
improves readability, for example, at PDF417 security 
level 3, the indicium has over 25% of the data as error 
correction code, resulting in a robust indicium that is 
easier to print and read. The OCR version allows for 
error-correction code and human back-up of the auto- 
mated scanning process. 

Referring now to Fig. 3 a process for the initializa- 
tion and distribution of a fixed key set of verifier token 
keys is shown in accordance with the preferred embod- 



iment of the present invention. At step 200. the Manu- 
facturer 40 generates a random verifier master key 
"1000 key" set 100. 

At step 210, Manufacturer 40 generates triple DES 
s pointer keys. 

At step 220, Manufacturer 40 distributes the verifier 
master key set 100 and pointer keys to the Vendor and 
Postal Data Centers 30 and 20. 

At step 230, the Postal Data Center 20 calculates 
10 monthly token keys for a verifier token key set 1 10, and 
encrypts the verifier token key set with a distribution key. 

At step 240, the Postal Data Center 20 establishes 
a session key with each verifier 60. 

At step 250, the Postal Data Center 20 encrypts the 
15 distribution key with each verifier session key, and, at 
step 260, distributes the token key set and the 
encrypted distribution key to each of the verifiers. Steps 
230 through 260 are repeated each month. 

Referring now to Fig. 4, a process for secure co- 
20 processor verifier token verification is shown in accord- 
ance with the preferred embodiment of the present 
invention. At step 300, the verifier 60 receives indicium 
data and a meter number 14 read from an indicium 
being verified. At step 310, verifier 60 uses the triple 
25 DES pointer keys to obtain pointers related to the meter 
12 that printed the indicium being verified. At step 320, 
verifier 60 uses the pointers to retrieve the encrypted 
verifier token keys 34 of the meter 12 and then decrypts 
the retrieved keys. At step 330, verifier 60 regenerates 
30 the verifier token 34, and, at step 340, compares the 
regenerated verifier token from the indicium with the 
verifier token retrieved from the verifier token key set 
110. 

Referring now to Fig. 5, the overall verification proc- 

35 ess is shown in accordance with the preferred embodi- 
ment of the present invention. At step 400, the indicium 
printed on a mailpiece is scanned to obtain indicia data, 
including a verifier token and a meter number included 
therein. At step 405, verifier 60 performs verifier token 

40 verification as set forth above. If verification is success- 
ful, at step 410, the mailpiece is verified and the indicia 
data is sent, at step 415, to the Postal Data Center 20, 
on a sample basis for off-line verification. If the verifica- 
tion was not successful, then a fraud investigation is 

45 performed at step 420. 

At step 425, the Postal Data Center 20 performs off- 
line verification of the postal token in the indicia data. If 
successful, then, at step 430, the indicia data is sent to 
the Vendor Data Center 30 for further off-line verrfica- 

so tion. If any verification is not successful, then a fraud 
investigation is performed at step 435. 

At step 440, the Vendor Data Center 30 performs 
off-line verification of the vendor token in the indicia 
data. If successful, then, at step 445, the verification 

55 process of the mailpiece has been successfully con- 
cluded. If the verification was not successful, then a 
fraud investigation is performed at step 450. 

The cryptographic strength of the algorithm is as 
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strong as multiple DES. Other suitable symmetric key 
algorithms can be adapted for the purpose of the 
present invention. The fixed set of keys simplifies key 
management for remote postal verifiers. The additional 
infrastructure required is a secure co-processor for 
each verifier, generation and distribution of a small set 
of token keys once per month and provision of a distri- 
bution key to each verifier periodically. None of these 
requirements adds significantly to the cost. The verifiers 
already need the capability to transfer files for the miss- 
ing meter list, the duplicate detection lists, and for distri- 
bution of public-keys. 

Mailers will continue finishing mail using mailing 
machines. The proposed symmetric key system pro- 
vides multiple paths of payment assurance through a 
few digits added to indicia information. 

There are various methods of generating the Veri- 
fier Master Key Set 100. A minimum data solution is to 
derive the keys based on the meter number through a 
cryptographic algorithm. The meter does not require 
this algorithm, but the verifier needs to be able to calcu- 
late keys for each meter. A good solution is to generate 
a large set of random keys indexed by meter number 
before manufacturing the meters. The present invention 
provides an intermediate solution using a fixed key set, 
e.g., one thousand keys, from which the meter keys are 
derived. 

The meter generates the postal and vendor digital 
tokens, by keys known to the postal data center 20 and 
vendor data center 30, respectively. Distributing these 
keys to postal verifiers 60 would require an infrastruc- 
ture that would be beyond a desired postal infrastruc- 
ture. 

The verifier digital token is a truncated triple DES 
MAC. The verifier 60 selects three DES keys used to 
generate the MAC from the Token Key Set 110. The 
three pointers used to select the keys are derived by a 
cryptographic pseudo-random function based on the 
meter number 14. The meter 12 has no information 
about this function. The meter generates the verifier 
token keys using its Verifier Master Keys 50. 

A table of 2 N Verifier Master Keys are generated 
independently and randomly. The table index is an N bit 
long pointer p. In the preferred embodiment, N = 10, 
which yields 1,024 Verifier Master Keys. Each meter 12 
uses an ordered set of three Verifier Master Keys 50, 
resulting in one billion different meter key sets. 

A secure co-processor signs and encrypts this set 
of keys. The encrypted key set is securely shared by the 
postal data center 20, and the vendor data center 30. 
Access to the encrypted list is limited to secure co-proc- 
essors at the vendor data center 30 and the postal data 
center 20. The vendor data center 30 installs keys into 
meter 12 through the manufacturing operation 40. The 
postal data center 20 uses the Verifier Master Key Set to 
generate the Verifier Token Key Set 110. 

The meter 12 and the verifier 60 use token keys to 
calculate the verifier digital token via a truncated CBC- 



DES MAC, ("CBC" is cipher-block-chaining mode of 
DES): 

truncate( DES(Kt 3 , Data 3 © DES(Kt 2 , Data 2 © 
DES(KtL Datal))) ). 

5 The 0 symbol is exclusive-or. The three data blocks 

all contain variable postal data, such as the piece count. 
The truncation operation results in a correct digital 
token, at least 10 bits long, with very low probability that 
the verifier digital tokens can be guessed correctly. 

w 

KEY MANAGEMENT 

A triple-DES algorithm derives pointers from the 
meter identification number: 
15 DES(K 1( DES (K 2 , DES(K 3 , meter identification 

number))) = (D,p 1( p 2 , p 3 ). 

The keys Kj are known to secure co-processors 
located at the vendor and postal data centers, and at 
the verification sites. There may be multiple sets of 
20 these keys, based on vendor and meter data. 

The pointers Pj are, for example, each 10 bits long, 
and D is the remaining, discarded 34 bits. The size of 
the database depends on these numbers. Each Verifier 
Master Key K(pj) is an ordered pair of two DES keys, 
25 (Ko(Pj), K^pj)). Each meter is initialized with K(p-i). 
K(p 2 ), and K(p 3 ) corresponding to the meter identifica- 
tion number. 

The verifier master keys 50, acting on the date 
(MMYYYY), using triple DES, produce the monthly ver- 
30 ifier token keys: 

Kt, = DES(Ko( Pl ), DESfl^p,). DES(K 0 < Pl ). 
MMYYYY) ) ), 

Kt 2 = DES(K 0 (p 2 ), DES(K 1 (p 2 ), DES(K 0 (p^, 
MMYYYY) ) ), 

35 Kt 3 = DES(Ko(p 3 ). DESCK^pa). DES(K 0 (P3), 

MMYYYY) ) ). 

These verifier token keys 52 are valid for a selected 
period of time, for example, one month. Given the cur- 
rent verifier token keys, the problem of an attacker cal- 

40 culating the verifier master keys or the verifier token 
keys for any other month is intractable. 

Initialization data in each verifier 60 allows mutual 
authentication with the postal data center 20. This infor- 
mation may be public-key certificates of the verifier 60 

45 and the postal data center 20. The verifier secure co- 
processors must be securely distributed and managed. 
Each month, when receiving new token keys, the verifier 
60 is remotely inspected to be sure it is present and not 
tampered. 

so The postal data center 20 generates monthly distri- 
bution keys 52 for each verifier 60. A monthly privacy 
key is used to provide confidentiality of the Token Key 
Set 110. The postal data center 20 distributes the 
monthly Token Key Set 110 to verifiers 60, encrypted 

55 with the monthly privacy key. This file has a reasonable 
size: If the fixed key set 110 provides a unique key for 
each meter number, then the size equals the number of 
meters times 16 bytes per key, and the Token Key Set 
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110 can be distributed by a monthly CD-ROM sent to 
the verifiers 60, or downloaded via the network. If the 
fixed key set 1 1 0 contains a few thousand keys, then its 
size is a few times 16 kilobytes. It can be distributed to 
the verifiers 60 by a monthly diskette, or through a rea- 5 
sonable size downloaded file. 

There is a risk of exposing Verifier Master Keys in 
this system. In order to allow recovery if this happens, 
the system needs a method of updating the keys. This 
requires a secure method of installing new keys in each w 
meter 12, and a key version number in the indicium so 
the verifier 60 can select the correct key set during an 
interim period, for example, before all new keys are 
installed. 

75 

FIXED KEY SET INDICIA 

The data proposed for the Fixed Key Set indicium is 
outlined above. The only additions are the verifier digital 
token and additional error-correction code. Fig. 6 shows 20 
the data in an OCR version. Fig. 7 illustrates a bar code 
version. 

The present invention is described in a preferred 
embodiment for the verification of postage evidencing 
printed on a mailpiece. It will be understood by those 25 
skilled in the art that the present invention is suitable for 
use in verifying any physical object which carries infor- 
mation in a visual form. 

While the present invention has been disclosed and 
described with reference to a single embodiment 30 
thereof, it will be apparent, as noted above, that varia- 
tions and modifications may be made therein. It is, thus, 
intended in the following claims to cover each variation 
and modification that falls within the true spirit and 
scope of the present invention. 35 

PostPerfect™ and Personal Post Office™ are trade- 
marks of Pitney Bowes Inc., the assignee of the present 
invention. 

Claims 40 

1 . A method for providing keys used in the verification 
of encoded information generated by a transaction 
evidencing device (12) and printed on a document, 
the method comprising the steps of: 45 

generating (200) a plurality of random verifier 
master keys (18) to obtain a set (100) of verifier 
master keys consisting of a fixed number of 
keys; 50 

generating (210) at least one pointer by apply- 
ing a psuedorandom algorithm to data unique 
to the transaction evidencing device (12); 

55 

calculating (230) a plurality of verifier token 
keys (34) to obtain a verifier token key set (110) 
corresponding to the set of verifier master keys; 



encrypting (230) the verifier token key set with 
a privacy key; and 

distributing (260) the verifier token key set 
(110) and the privacy key to verifiers (60). 

2. The method of Claim 1 comprising the further step 
of: 

distributing master keys to postal and vendor 
data centers (20,60). 

3. The method of Claim 1 or 2 wherein the token keys 
are a function of the verifier master keys and a code 
valid for a limited time. 

4. The method of Claim 3 wherein the code is function 
of a date dependent parameter. 

5. The method of any one of the preceding claims 
wherein the pointer algorithm is an appropriate 
symmetric key cryptographic algorithm . 

6. The method of any one of the preceding claims 
wherein the step of distributing the set of verifier 
token keys and the privacy key to verifiers com- 
prises the further steps of: 

setting up (240) a session key with each veri- 
fier; and 

encrypting (250) the privacy key with each ver- 
ifier session key. 

7. The method of any one of the preceding claims 
comprising the further step of: 

selecting at least one of the verifier token keys 
for verification of the encoded information 
printed on a document. 

8. The method of Claim 7 wherein the step of select- 
ing the verifier token keys includes using data 
unique to the transaction evidencing device (12) 
that is printed on the document being verified. 

9. A method of verifying indicia by a verifier (60), the 
method comprising the steps of: 

obtaining (300) indicium data and a transaction 
evidencing device identification from an item; 
using a pointer algorithm (310) to find pointers; 
retrieving (320) token keys for the transaction 
evidencing device (12); 

computing (330) a verifier token based on the 
retrieved token key; and 
comparing (340) the computed token with the 
verifier token from the indicium data. 
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10. The method of Claim 9 comprising the further step 
of: 

investigating for fraud when the computed 
token is different from the verifier token. 5 

1 1 . The method of Claim 9 or 10 comprising the follow- 
ing further steps when the computed token is the 
same as the verifier token: 

w 

verifying a postal token from the indicium data; 
and 

verifying a vendor token from the indicium data. 

1 2. The method of Claim 9, 1 0 or 1 1 wherein the step of is 
retrieving token keys for the transaction evidencing 
device includes decrypting the token keys. 

13. The method of any one of Claims 9 to 12 compris- 
ing the further step of: 20 

storing at least one of said master keys into a 
transaction evidencing device. 

14. A method for providing keys used in the verification 25 
of encoded information generated by a transaction 
evidencing device (12) and printed on a document 
(55), the method comprising the steps of: 

storing in a data center database a set (100) of 30 
verifier master keys; 

encrypting a date with each of said master keys 
in said set of verifier master keys to obtain a 
corresponding set (1 10) of verifier token keys; 
distributing (260) said set of verifier token keys 35 
to at least one verification site; 
reading (300) plain text information printed on a 
mailpiece, said plain text information including 
information identifying the transaction evidenc- 
ing device (12); 40 
finding a date dependent key Kdd correspond- 
ing to the particular transaction evidencing 
device by means of a determined relationship 
associated with the transaction evidencing 
device, said relationship being derived as a 45 
predetermined function of identifying data of 
the transaction evidencing device 
encrypting said identifying data with said date 
dependent key to obtain a final key K f j nat ; 
encrypting at least some part of the plain text so 
information using said final key K fjna , to obtain a 
code; 

comparing said code with encoded information 
printed on the mailpiece; and 
validating the mailpiece when said code ss 
matches said encoded information. 
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